Department of Energy’s Annual Cyber Defense Competition

Summary

The ever-increasing amount of Internet technology in the modern day makes security a high priority and causes a high demand for cybersecurity professionals in the United States. In fact, ISACA predicts a global shortage of two million cyber professionals by 2019.[1] Unfilled cybersecurity careers will reach over 1.5 million by 2019. The Department of Energy (DOE) capitalizes on the expertise of current national laboratory staff, who previously hosted two successful cyber defense competitions, to exercise interactive, scenario-based events in which teams engage in cybersecurity activities that include methods, practices, strategy, policy, and ethics. Through the cyber defense competitions, DOE has worked to increase 1) hands-on cyber education for college students and professionals, 2) awareness of the critical infrastructure and cyber security nexus, and 3) basic understanding of cyber security within a real-world scenario.

Uniqueness

Utilizing critical-infrastructure-focused scenarios, DOE’s competitions added realistic components to make their competition stand out. These include a cyber-physical infrastructure, lifelike anomalies and constraints, and actual users of the systems. Additionally, DOE’s competition looks to help participants and volunteers increase their knowledge and understanding of cyber-physical threats, vulnerabilities, and consequences. Moreover, this competition gives students a hands-on security approach to their team’s infrastructure, from their servers and virtual machines to the physical devices on their tables. Teams also have the strain of balancing their security with usability; teams’ scores include a user’s ability to continue normal work operations.

Energy Focused

The scenarios developed have an energy focus. Previous scenarios have focused on power distributors and water and power delivery systems. Additionally, the scenarios look at real-world constraints and lifelike anomalies, including no budget for maintenance or upkeep, deficiency in understanding the system’s needs, website defacement, business meetings, or lack of permission controls.

Cyber-Physical Infrastructure

Unique to DOE’s competition, a cyber-physical device is provided to give the participants a real-world understanding of the implications of defending critical infrastructure. When a power distributor’s cyber infrastructure is compromised, the participants may see the light bulb go out or the water pump stop, indicating that there is no power or water being distributed.

Unique Defenses

The competition encourages unique defense strategies and techniques in safeguarding the cyber assets. Teams are scored on their “out-of-the-box” and innovative ideas and defenses. These unique defenses stem from the real-world constraints provided in the scenario, such as no budget. Teams develop a working defense utilizing zero dollars while ensuring that the system’s intended purpose is not deprecated.

Usability

Most cyber defense competitions do not take into account usability of the system. DOE’s competition not only adds this element, but also scores it as part of the overarching competition. Teams must balance the added security of the system with usability of the system. If the users are unable to navigate the system or unable to complete basic tasks within the system, the team’s usability score will decrease each hour the users are unable to navigate. Additionally, the teams have the added layer of interacting with the users and working through real-world issues and requests made by the users on top of actively defending the networks.

Projecting the CDC’s Future

With the exponential increase in interest and growth of this competition space (from nine to 26 registered teams), DOE is looking to expand the current CDC from one to three national laboratories for the April 2018 CDC. The projected awareness campaign will span across Argonne, Oak Ridge, and Pacific Northwest National Laboratories (see Figure 1):

Figure 1: 2018 Projected Awareness

This interconnected competition allows for the national laboratory complex and DOE to assist in the readiness of the future cyber workforce as well as increase the number of participants. With nine participating states out of 50, it is apparent that there are still large gaps within state participation. By adding two national laboratories to the current competition, the radius of potential participation spans the majority of the contiguous United States. A national laboratory in the Northwest aids in the goal of gaining participation from the Western states, and a Southeast national laboratory aids in the goal of gaining participation from more of the Southeastern coastal states.

With additional national laboratories in the CDC, the potential to increase the student participation in future years grows exponentially. Table 1 below outlines the potential growth opportunities for the CDC:

Conclusion

The DOE CDC thrives on having the most impact and beneficial outcomes for participants. The goal is for competing teams to walk away with a more defined and comprehensive understanding of the potential physical impacts of decisions that are made in the cyber realm. Students learn valuable skills for future careers, including balancing security with the usability of the system. Additionally, while a cyber defense competition is considered a game, it also enhances a student’s resume by demonstrating extracurricular professional development.

Overall, the CDC initiative provides various positive outcomes for participating students. Working to align the curriculum that universities nationwide teach with the skills that the industry desires is in the interest and advancement of the future cyber workforce.